CN115344881B - Hard disk encryption and decryption device and method, hard disk and I/O interface - Google Patents

Hard disk encryption and decryption device and method, hard disk and I/O interface Download PDF

Info

Publication number
CN115344881B
CN115344881B CN202211276219.5A CN202211276219A CN115344881B CN 115344881 B CN115344881 B CN 115344881B CN 202211276219 A CN202211276219 A CN 202211276219A CN 115344881 B CN115344881 B CN 115344881B
Authority
CN
China
Prior art keywords
data
module
encryption
hard disk
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211276219.5A
Other languages
Chinese (zh)
Other versions
CN115344881A (en
Inventor
朱敏
张继璠
徐健
王宇峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuxi Muchuang Integrated Circuit Design Co ltd
Original Assignee
Wuxi Muchuang Integrated Circuit Design Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Wuxi Muchuang Integrated Circuit Design Co ltd filed Critical Wuxi Muchuang Integrated Circuit Design Co ltd
Priority to CN202211276219.5A priority Critical patent/CN115344881B/en
Publication of CN115344881A publication Critical patent/CN115344881A/en
Application granted granted Critical
Publication of CN115344881B publication Critical patent/CN115344881B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F13/14Handling requests for interconnection or transfer
    • G06F13/20Handling requests for interconnection or transfer for access to input/output bus
    • G06F13/28Handling requests for interconnection or transfer for access to input/output bus using burst mode transfer, e.g. direct memory access DMA, cycle steal
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2213/00Indexing scheme relating to interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F2213/0032Serial ATA [SATA]
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02DCLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

The application discloses a hard disk encryption and decryption device, a method, a hard disk and an I/O interface. The device comprises: the first interface module is electrically connected with the first storage module and is used for connecting an upper computer; the second interface module is electrically connected with the second storage module and is used for connecting a target hard disk; the first storage module is respectively connected with the first interface module and the encryption and decryption module and is used for storing data to be encrypted; the second storage module is electrically connected with the second interface module and the encryption and decryption module respectively and is used for storing encrypted data obtained after the data to be encrypted are encrypted; the encryption and decryption module is used for executing encryption operation on the data to be encrypted; the control module is used for initializing the interface module and the encryption and decryption module; wherein, the first memory module and the second memory module each comprise a FIFO memory. The data flow control is controlled by hardware through a bus, data with any length can be transmitted, the copying times are reduced, the operation efficiency and the transmission speed are improved, and the controller occupancy rate is low.

Description

Hard disk encryption and decryption device and method, hard disk and I/O interface
Technical Field
The present invention relates to the technical field of computer hard disks, and in particular, to a hard disk encryption and decryption device, a hard disk encryption method, a hard disk decryption method, a storage medium, an electronic device, a hard disk, and an I/O interface.
Background
Hard Disk Drive (HDD) is an important component of a computer system for storing data, and system and user data are stored in the Hard Disk by default in a plaintext form, and if the Hard Disk is lost, data leakage of the user will be caused.
In the prior art, hard disk bridging encryption is usually realized by a buffer area mode, but the encryption mode has the following defects:
data slicing is required: due to hardware limitation, the buffer area cannot be infinitely large, especially for a System-on-a-chip (SoC) SRAM (Static Random-Access Memory, SRAM) formed by a microprocessor, which is typically tens to hundreds of KB (KiloByte); while SATA (serial advanced technology attachment Serial Advanced Technology Attachment, SATA) can transmit tens of megabytes of data at most per command, so that data needs to be sliced and transmitted for multiple times, which affects the transmission rate;
the production cost is high: the selection of the size, the type and the transmission rate of the buffer area has great influence on the hardware cost;
copy data multiple times: the buffer area mode is equivalent to 2 times of data transmission, and even if the buffer area is large enough, the buffer area has an influence on the speed;
The controller occupancy rate is high: the buffer area mode requires high participation of the controller; because the buffer area mode can not be used for automatic flow control, the controller is needed to participate for many times every time of reading and writing, and the overall efficiency of the system is greatly affected.
Therefore, a new hard disk encryption/decryption device is needed to solve at least the above-mentioned drawbacks of the prior art.
Disclosure of Invention
Aiming at the problems, the application provides a hard disk encryption and decryption device, a hard disk encryption method, a hard disk decryption method, a storage medium, electronic equipment, a hard disk and an I/O interface, and at least the defects of data slicing, high production cost, low speed, high controller occupancy rate and the like which are needed for realizing hard disk bridging encryption in a buffer area mode are overcome.
In a first aspect of the present application, there is provided a hard disk encryption/decryption device, the device comprising:
the first interface module is electrically connected with the first storage module and is used for connecting an upper computer;
the second interface module is electrically connected with the second storage module and is used for connecting a target hard disk;
the first storage module is electrically connected with the first interface module and the encryption and decryption module respectively and is used for storing the data to be encrypted sent by the upper computer, and the second storage module is used for storing the encrypted data obtained after the encryption operation is performed on the data to be encrypted under the condition that the first storage module stores the data to be encrypted;
The second storage module is electrically connected with the second interface module and the encryption and decryption module respectively and is also used for storing data to be decrypted read from the target hard disk, and the first storage module is also used for storing decrypted data obtained after decryption operation is performed on the data to be decrypted under the condition that the second storage module stores the data to be decrypted;
the encryption and decryption module is respectively and electrically connected with the first storage module and the second storage module and is used for executing encryption operation on the data to be encrypted under the condition that the data to be encrypted is received in the first storage module; or, the device is used for executing decryption operation on the data to be decrypted under the condition that the data to be decrypted is received in the second storage module;
the control module is electrically connected with the first interface module, the second interface module and the encryption and decryption module respectively and is used for initializing the first interface module, the second interface module and the encryption and decryption module before the encryption and decryption module executes encryption or decryption operation;
wherein the first memory module and the second memory module each comprise a FIFO memory.
Further, the first interface module and the second interface module each include a SATA interface.
Further, the first interface module is connected with the first storage module and the second interface module is connected with the second storage module through an AXI bus.
Further, the control module includes:
the receiving unit is used for reading the FIS information of the data to be written from the first interface module when the upper computer executes the writing operation;
the analysis unit is used for analyzing the FIS information of the data to be written according to a preset analysis rule so as to obtain the storage information of the data to be written in the hard disk;
and the configuration unit is used for sending the storage information to the second interface module so as to ensure that the data to be written is successfully written into the hard disk.
Further, the configuration unit is further configured to configure transmission registers of the first interface module and the second interface module, and is configured to configure a key of the encryption/decryption module.
In a second aspect of the present application, there is provided a hard disk encryption method implemented based on the hard disk encryption/decryption device as described above, the method including:
Responding to a data writing instruction sent by the upper computer, and writing data to be encrypted into a first memory through a first interface module;
under the condition that the first memory is detected to receive the data to be encrypted, an encryption and decryption module is used for executing encryption operation on the data to be encrypted to obtain encrypted data;
moving the encrypted data from the first memory to a second memory;
and writing the encrypted data into the hard disk when the second memory is detected to receive the encrypted data.
Further, the method further comprises the following steps:
and under the condition that the first memory sends out a full signal, executing back pressure operation on the first interface module so as to control the upper computer to stop writing data operation.
In a third aspect of the present application, a hard disk decryption method is provided, which is implemented based on the hard disk encryption and decryption device as described above, and the method includes:
reading encrypted data in the hard disk to a second memory through a second interface module in response to a data reading instruction sent by the upper computer;
in case that the second memory is detected to receive the encrypted data, performing decryption operation on the encrypted data by an encryption and decryption module to obtain decrypted data;
Moving the decrypted data from the second memory to a first memory;
and under the condition that the first memory is detected to receive the decrypted data, reading the decrypted data into the upper computer.
Further, the method further comprises the following steps:
and under the condition that the second memory sends out a null signal, executing a blocking operation on the second interface module to stop executing a data reading operation on the hard disk.
In a fourth aspect of the present application, a computer-readable storage medium is provided, storing a computer program executable by one or more processors to implement a method as described above.
In a fifth aspect of the present application, there is provided an electronic device comprising a memory and one or more processors, said memory having stored thereon a computer program which, when executed by said one or more processors, performs a method as described above.
In a sixth aspect of the present application, there is provided a hard disk comprising: an apparatus as described above, or an electronic device as described above.
In a seventh aspect of the present application, there is provided an I/O interface configured in a computer or a mobile terminal, the I/O interface including: an apparatus as described above, or an electronic device as described above.
Compared with the prior art, the technical scheme of the application has the following advantages or beneficial effects:
data do not need to be sliced: SATA DMA (direct memory access Direct Memory Access, DMA for short) writes data to one side of a pipe and directly reads the encrypted/decrypted data from the other side. The encryption pipeline is hardware logic designed in the chip, an encryption and decryption module is integrated in the chip, only one FIFO (first in first out First In First Out, FIFO for short) with small capacity is needed, and data flow control is controlled by hardware through a bus, so that data with any length can be transmitted;
the cost is saved: the buffer area is not needed, only one FIFO with small capacity is needed, and the production cost can be greatly reduced;
multiple copies are not required: in the encryption pipeline mode, SATA data is directly written into the FIFO, the encryption and decryption module is also used for directly reading and writing the FIFO, the need of data copying does not need to be copied back and forth to a buffer area, the copying times are reduced, and the operation time is saved;
the controller occupancy rate is low: in the buffer mode, the controller is involved, so that the processes of interrupting, configuring a plurality of registers and the like are needed, and the operation time consumption is seriously increased. In the mode, the transmission speed is high because the occupancy rate of the controller is low;
The transmission speed is high: the data transmission and encryption and decryption processes are all controlled by hardware, the DMA of the SATA controllers at two sides can be started at the same time, and one command is only transmitted by one DMA, which is equivalent to the mode of not bridging SATA direct connection, and the highest transmission speed approaching to the SATA protocol can be realized.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present application, and that other drawings may be obtained according to the drawings provided without inventive effort to a person of ordinary skill in the art.
FIG. 1 is a schematic diagram of a SATA architecture.
FIG. 2 is a diagram of FIS ID.
Fig. 3 is a schematic diagram of an overall architecture of hard disk bridging encryption.
Fig. 4 is a schematic diagram of a hard disk bridging encryption architecture implemented by a buffer area mode.
Fig. 5 is a schematic structural diagram of a hard disk encryption and decryption device according to an embodiment of the present application.
Fig. 6 is a workflow diagram of an encryption pipeline implementation bridging encryption device according to an embodiment of the present application.
Fig. 7 is a flowchart of a hard disk encryption method according to an embodiment of the present application.
Fig. 8 is a flowchart of a hard disk decryption method according to an embodiment of the present application.
Fig. 9 is a connection block diagram of an electronic device according to an embodiment of the present application.
Reference numerals:
in fig. 5, 501-control module, 502-encryption and decryption module, 503-first storage module, 504-second storage module, 505-first interface module, 506-second interface module, 507-AXI bus.
Detailed Description
The following will describe embodiments of the present application in detail with reference to the drawings and examples, thereby how to apply technical means to the present application to solve technical problems, and realizing processes achieving corresponding technical effects can be fully understood and implemented accordingly. The embodiments and the features in the embodiments can be combined with each other on the premise of no conflict, and the formed technical schemes are all within the protection scope of the application.
In order to make the purposes, technical solutions and beneficial effects of the embodiments of the present application more clear, the technical solutions in the embodiments of the present application will be described in detail below with reference to the accompanying drawings and specific embodiments of the present application.
In the following, some technical terms in the embodiments and the prior art of the present application are explained first, so that those skilled in the art can understand the technical solutions of the present application.
Bridge chip: the Bridge Chip is an auxiliary Chip and has the main function of being used for connecting two different media and electronic equipment to perform signal conversion and transmission.
SATA: SATA, serial ATA (Serial ATA), is called Serial advanced technology attachment Serial Advanced Technology Attachment, which is a new specification of a hard disk interface commonly proposed by companies such as Intel, IBM, maxtor and Seagate, and because a Serial connection manner is adopted, a hard disk using a SATA interface is called a Serial hard disk, the SATA specification increases an external transmission rate theoretical value of the hard disk to 150MB/s, and SATA components include two types: SATA hosts (SATA host) and SATA devices (SATA devices).
SATA protocol: the high-speed serial transmission protocol is characterized in that the highest data transmission rate can reach 6.0Gb/s, and the PATA (parallel ATA) is replaced as a standard for the communication between a hard disk and a PC; the SATA interface has the characteristics of large transmission bandwidth, simple physical structure, hot plug support, strong error detection capability and the like, and can meet the requirements of most of large-capacity storage devices on interface functions, so that the SATA interface is used by the large-capacity storage devices in the current mainstream; the SATA architecture is shown in fig. 1, and fig. 1 is a schematic diagram of a SATA architecture, where the SATA architecture is a physical layer, a link layer, a transport layer, and an application command layer from bottom to top, where the physical layer is responsible for operations such as serialization and deserialization of data, clock recovery, OOB (out-of-band signal) communication, and K code detection, the link layer is responsible for operations such as 8b/10b codec, scrambling and descrambling, CRC check, and reception and transmission of FIS, the transport layer is responsible for operations such as framing and deframeing, FIFO control, and the application command layer is responsible for operations such as execution of commands and maintenance of register information.
Hard disk: the Hard Disk of the computer is the most main storage device of the computer, and the Hard Disk (HDD for short) is composed of one or more aluminum or glass disks, wherein the exterior of the disks is covered with ferromagnetic material; is an important component of the computer system for storing data, and the system and user data are stored in a hard disk in a plaintext form by default, and if the hard disk is lost, the data leakage of the user can be caused.
IP: integrated Packet.
SATA host interface: (SATA Host IP, SATA Host side integrated packet) for operating an interface of a hard disk, the SATA Host IP implements not only PHY (physical layer), link (Link layer), and TRN (transport layer) of SATA protocol, but also CMD (command layer) and APP (application layer), and the SATA Host IP provides an efficient and easy-to-use interface for a user to use SATA storage device.
SATA device interface: (SATA Device IP, SATA Device side integrated packet) for operating interfaces at the host side.
MCU: the micro control unit (Micro Controller Unit, MCU for short), also called single chip microcomputer (Single Chip Microcomputer) or single chip microcomputer, is to properly reduce the frequency and specification of the central processing unit (Central Process Unit, CPU for short), and integrate the peripheral interfaces such as memory (memory), counter (Timer), USB, A/D converter (analog to digital converter, A/D converter or adc), UART (universal asynchronous receiver Transmitter Universal Asynchronous Receiver/Transmitter, UART), PLC (programmable logic controller Programmable logic Controller, PLC), DMA (direct memory access, direct Memory Access, DMA for short) and even LCD (LCD Liquid Crystal Display, LCD for short) driving circuits on a single chip to form a chip-level computer for different application occasions to perform different combination control; such as mobile phones, PC peripherals, remote controllers, to automotive electronics, industrial stepper motors, robotic arm control, etc., can see the shadow of the MCU.
UART: a universal asynchronous receiver Transmitter (Universal Asynchronous Receiver/Transmitter, UART for short), which is an asynchronous receiver Transmitter, is part of the computer hardware. It converts the data to be transmitted between serial communication and parallel communication. As a chip for converting parallel input signals into serial output signals, UARTs are typically integrated on the connection of other communication interfaces. UARTs, which are one type of asynchronous serial communication protocol, operate on the principle that each character of the transmitted data is transmitted bit by bit.
DMA: direct memory access (Direct Memory Access, DMA for short) is an important feature of all modern computers, which allows hardware devices of different speeds to communicate without relying on the massive interrupt load of the CPU. Otherwise, the CPU needs to copy each piece of data from the source to the register and then write them back to the new place again. During this time, the CPU is not available for other tasks. DMA transfers copy data from one address space to another. When the CPU initiates this transfer action, the transfer action itself is carried out and completed by the DMA controller. A typical example is to move a block of external memory to a faster memory area inside the chip. Operations such as this do not hold the processor work off, but may be rearranged Cheng Quchu to handle other work. DMA transfer is important for high performance embedded system algorithms and networks.
Bus: the Bus (Bus) is a public communication trunk line for transmitting information among various functional components of the computer, and is a transmission line bundle composed of wires, and according to the information type transmitted by the computer, the Bus of the computer can be divided into a data Bus, an address Bus and a control Bus, and the data Bus, the address Bus and the control Bus are respectively used for transmitting data, data addresses and control signals; the bus is an internal structure, and is a public channel for transmitting information by CPU, memory, input and output devices, all components of the host are connected by the bus, and the external device is connected with the bus by a corresponding interface circuit, so that a computer hardware system is formed; in a computer system, a common path for information to be transferred between components is called a bus, and a microcomputer connects the functional components in a bus structure.
AXI bus: AXI (Advanced eXtensible Interface, AXI for short) is a bus protocol, which is the most important part of AMBA (advanced microcontroller bus architecture Advanced Microcontroller Bus Architecture, AMBA for short) 3.0 protocol proposed by ARM corporation, and is an on-chip bus for high performance, high bandwidth and low latency; the address/control and the data phase are separated, the misaligned data transmission is supported, meanwhile, in burst transmission, only the first address is needed, and meanwhile, a separated read-write data channel is supported, and the outlining transmission access and the disordered access are supported, so that the timing sequence convergence is easier to carry out; AXI is a new high performance protocol in AMBA, and AXI technology enriches the existing AMBA standard content and meets the requirements of ultra-high performance and complex system on chip (SoC) design.
Symmetric encryption: the encryption method of the single key cipher system is adopted, the same key can be used for encrypting and decrypting information at the same time, and the encryption method is called symmetric encryption and also called single key encryption; an encryption algorithm that requires the same key for encryption and decryption; because of its fast speed, symmetric encryption is usually used when a message sender needs to encrypt a large amount of data, and symmetric encryption is also called key encryption, and is that both parties adopting the encryption method use the same key for encryption and decryption; the key is an instruction that controls the encryption and decryption process, and the algorithm is a set of rules that specify how the encryption and decryption is to be performed.
FIS: the (rack information structure Frame Information Structure, abbreviated as FIS) FIS is a mechanism for information transfer between Host and device, each FIS is fixed in format and corresponds to a unique ID, SATA Spec defines a 14-class FIS ID, as shown in fig. 2, and fig. 2 is a schematic diagram of a FIS ID.
SRAM: a Static Random-Access Memory (SRAM) is one type of Random Access Memory; by "static", it is meant that such memory is constantly maintained for as long as it remains powered on, with the data stored therein; in contrast, data stored in Dynamic Random Access Memory (DRAM) needs to be periodically updated; however, when the power supply is stopped, the data stored in the SRAM is lost (called as volatile memory), unlike the ROM or flash memory which can store data after power failure, the SRAM can store the data stored in the SRAM without a refresh circuit, and the DRAM (Dynamic Random Access Memory, simply referred to as DRAM) is refreshed and charged once every a while, otherwise, the internal data is lost, so that the SRAM has higher performance, but the SRAM has the disadvantages that the SRAM has lower integration level, the power consumption is higher, the DRAM memory with the same capacity can be designed into a smaller volume, but the SRAM needs a larger volume, and the DRAM with larger capacity can be manufactured by the same area of silicon chip, so that the SRAM is more expensive.
System on chip: system-on-a-chip (SoC) refers to a technology of integrating a complete System on a single chip to perform packet grouping on all or part of necessary electronic circuits, wherein the complete System generally comprises a Central Processing Unit (CPU), a memory, peripheral circuits and the like; socs have been developed in parallel with other technologies, such as Silicon-On-Insulator (SOI) which can provide an enhanced clock frequency, thereby reducing the power consumption of the microchip.
Handshake and backpressure: in the (handle & Back-pressure) chip design, two operations are adopted when flow control of the flow design is carried out; when the ingress traffic is greater than the egress traffic, back pressure is required, or when the later stage is not ready, if the present stage is doing data transfer, it is required to back pressure the earlier stage, so the earlier stage needs to keep the data still until the handshake is successful and the data cannot be updated.
FIFO: the FIFO is an abbreviation of english First In First Out, which is a first-in first-out data buffer, and is different from a general memory in that there is no external read-write address line, so that the use is very simple, but the disadvantage is that only data can be sequentially written, data can be sequentially read out, the data address is automatically added by 1 by an internal read-write pointer, and a specified address cannot be read or written by an address line as in the general memory. The FIFO memory is a buffer link of the system, and if the FIFO memory is not provided, the whole system cannot work normally, and the FIFO memory mainly has several functions:
(1) Caching the continuous data stream to prevent data loss during the machine entering and storage operations;
(2) The data are gathered to be pushed and stored, so that frequent bus operation can be avoided, and the load of a CPU (Central processing Unit) is reduced;
(3) And the system is allowed to conduct DMA operation, so that the data transmission speed is improved. This is a critical point, and if no DMA operation is used, the data transmission will not meet the transmission requirement, and the burden of the CPU is greatly increased, so that the data storage work cannot be completed at the same time.
Several important parameters of FIFO:
width of FIFO: data bit N of FIFO one-time read-write operation;
depth of FIFO: how many N bits of data in width can be stored by the FIFO;
empty flag: for the double-clock FIFO, the double-clock FIFO is divided into a read empty mark rdempty and a write empty mark wrempty, and a signal is sent out by a status circuit of the FIFO when the FIFO is empty or is about to be empty so as to prevent the read operation of the FIFO from continuously reading data from the FIFO and causing the reading of invalid data;
full flag: for the double-clock FIFO, the double-clock FIFO is divided into a read full mark rdfull and a write full mark wrfill, and when the FIFO is full or is about to be written, a signal is sent out by a state circuit of the FIFO so as to prevent the write operation of the FIFO from continuing to write data into the FIFO and causing overflow;
Read clock: the clock followed when reading the FIFO is triggered at the rising edge of each clock;
write clock: the clock followed when writing the FIFO is triggered on the rising edge of each clock.
Next, two hard disk encryption methods currently used in the art will be briefly described.
Bridge mode profile for SATA hard disk encryption: fig. 3 is a schematic diagram of an overall architecture of a hard disk bridge encryption system, such as the hard disk encryption architecture of the bridge system shown in fig. 3, where an encryption bridge chip needs to encrypt data written into a hard disk device and decrypt data read from the hard disk device, so that serial data streams need to be parsed step by step to obtain written or read data, and to obtain the data, a physical layer and a link layer must be implemented according to SATA protocols.
Buffer mode realizes hard disk bridging encryption introduction: fig. 4 is a schematic diagram of a hard disk bridging encryption architecture implemented by a buffer area, where the bridging encryption architecture shown in fig. 4 may be implemented by multiple chips or a single chip, and needs to include the following functions:
(1) SATA host interface: SATA Host IP, namely SATA Host controller, is used to connect hard disk, read/write data of hard disk, and encapsulate the data into SATA standard interface;
(2) SATA device interface: SATA Device IP, namely SATA Device controller, is used to connect with host, and to transmit data with host, and encapsulate it into SATA standard interface;
(3) MCU: a microprocessor for processing SATA commands;
(4) A password module: a circuit module for encrypting and decrypting data;
(5) Buffer zone: two SRAMs in the figure, which may be combined into one SRAM in practice, are used to store encrypted and decrypted data.
Among them, SRAM is an on-chip memory, and since the size of the on-chip memory is limited, typically from several tens to several hundred KB, it is sometimes necessary to slice data.
The method for realizing the hard disk bridging encryption in the buffer area mode comprises the following steps when hard disk data are written in:
(1) MCU receives SATA command issued by host;
(2) MCU processes SATA command to obtain length of data to be written;
(3) MCU configures and starts SATA Device DMA, receives plaintext data from host to buffer;
(4) The MCU calls a password module to encrypt data;
(5) MCU sends SATA command to hard disk;
(6) The MCU configures and initiates SATA Host DMA (DMA between the SATA Host interface and the hard disk) to write encrypted data from the buffer to the hard disk.
The method for realizing hard disk bridging encryption in a buffer area mode comprises the following steps when hard disk data are read:
(1) MCU receives SATA command issued by host;
(2) MCU processes SATA command to obtain data length to be read;
(3) MCU configures and starts SATA Host DMA, reads the encrypted data from hard disk into buffer;
(4) MCU calls a password module to decrypt the data;
(5) MCU sends SATA command to host;
(6) The MCU configures and initiates SATA Device DMA (DMA between SATA Device interface hosts) to send plaintext data from the buffer to the host.
Those skilled in the art will appreciate that some of the drawbacks of the prior art architecture for encrypting a hard disk are as follows:
(1) Data slicing is required: because of hardware limitation, the buffer area cannot be infinitely large, especially for a system on chip (SoC) SRAM formed by a microprocessor, generally, tens to hundreds of KB are also adopted, and the SATA one-time command can transmit data of tens of M bytes at maximum, so that the data is required to be sliced and transmitted for multiple times, and the transmission rate is influenced;
(2) The production cost is high: the selection of the size, the type and the transmission rate of the buffer area has great influence on the hardware cost;
(3) Copy data multiple times: the buffer area mode is equivalent to 2 times of data transmission, and even if the buffer area is large enough, the buffer area has an influence on the speed;
(4) The controller occupancy rate is high: the buffer area mode requires high participation of the controller, and because the buffer area mode cannot perform automatic flow control, the controller is required to participate for many times every time of reading and writing, and the overall efficiency of the system is greatly affected.
Based on this, the embodiment of the application provides a hard disk encryption and decryption device, which encrypts and decrypts hard disk data in a data stream manner through a password pipeline (a symmetric encryption algorithm module and two FIFOs), so that at least the defects described above are overcome.
Example 1
Fig. 5 is a schematic structural diagram of a hard disk encryption/decryption device according to an embodiment of the present application, as shown in fig. 5, an apparatus 500 according to the present embodiment includes:
the first interface module 505 is electrically connected with the first storage module 503 and is used for connecting with an upper computer;
the second interface module 506 is electrically connected with the second storage module 504 and is used for connecting with a target hard disk;
the first storage module 503 is electrically connected to the first interface module 505 and the encryption/decryption module 502, and is configured to store data to be encrypted sent by the upper computer, where the first storage module stores the data to be encrypted, and the second storage module is configured to store encrypted data obtained after performing an encryption operation on the data to be encrypted;
The second storage module 504 is electrically connected to the second interface module 506 and the encryption/decryption module 502, and is further configured to store data to be decrypted read from the target hard disk, where the first storage module is further configured to store decrypted data obtained after performing a decryption operation on the data to be decrypted when the second storage module stores the data to be decrypted;
an encryption and decryption module 502, electrically connected to the first storage module 503 and the second storage module 504, respectively, and configured to perform an encryption operation on data to be encrypted when it is detected that the data to be encrypted is received in the first storage module 503; or, in case that the data to be decrypted is received in the second storage module 504, performing a decryption operation on the data to be decrypted;
a control module 501 electrically connected to the first interface module 505, the second interface module 506, and the encryption/decryption module 502, and configured to perform an initialization operation on the first interface module 505, the second interface module 506, and the encryption/decryption module 502 before the encryption/decryption module 502 performs an encryption or decryption operation;
wherein the first memory module and the second memory module each comprise a FIFO memory.
Optionally, a corresponding encryption/decryption algorithm is set in the encryption/decryption module 502, for example, the encryption mode may be a symmetric encryption mode, in addition, encryption/decryption may be implemented by hardware, and multiple algorithms such as international general encryption algorithms such as SM4 and AES are supported, and a specific encryption/decryption mode may be selected according to actual needs of a user.
It should be noted that, in the present device, one or more encryption and decryption algorithms may be preset for the user to select.
In some possible embodiments, based on the device, the user can burn a custom encryption and decryption algorithm into the device according to the actual requirement of the user so as to meet the personalized requirement of the user.
Optionally, the hard disk includes a SATA hard disk, and the upper computer includes a host (including a computer, etc.) and/or a mobile intelligent terminal carrying an intelligent OS (Operating System, abbreviated as OS), etc.
Optionally, the control module 501 includes a microcontroller that can be used to run related firmware, initialize hardware modules, configure encryption algorithms and keys, parse and process SATA protocols.
Optionally, the control module 501 performs an initializing operation on the first interface module 505 and the second interface module 506 and the encryption/decryption module 502 before the encryption/decryption module 502 performs an encrypting or decrypting operation, including: configuring the first interface module 505 and the second interface module 506 (including configuring the length of the received data, the position where the data is stored, etc.), and starting the two interface modules after the configuration is completed; the corresponding algorithm in the encryption and decryption module 502 is configured and started.
For example, the control module 501 may have the following functions:
(1) Receiving FIS information: when the host computer side writes data, the microprocessor reads FIS information of the data to be written from the SATA equipment interface;
(2) Parsing FIS information: the microprocessor analyzes information such as the position, the length and the like of the data in the hard disk according to the definition specification of the FIS;
(3) Configuration FIS information: the microprocessor transmits the analyzed storage information of the data in the hard disk to the SATA host interface to ensure that the hard disk can normally write the data;
(4) Configuring a SATA device interface: the data transmission register is used for configuring a transmission register positioned at an interface of the SATA device, setting the work of the DMA, the source address and the destination address of the transmitted data and the total length of the transmitted data, and then starting the DMA operation;
(5) Configuring a SATA host interface: the data transmission register is used for configuring a transmission register positioned at the SATA host interface, setting the work of the DMA, the source address and the destination address of the transmitted data and the total length of the transmitted data, and then starting the DMA operation;
(6) Configuration key: the microprocessor may also be used to control the operation of the cryptographic algorithm module, such as configuring a KEY of the cryptographic algorithm module.
In some embodiments, the first interface module 505 and the second interface module 506 each comprise a SATA interface.
Optionally, the first interface module 505 includes a SATA device interface, and the second interface module 506 includes a SATA host interface, where a user of the SATA device interface is connected to a host computer, and the SATA host interface is used to connect to a hard disk, and the host computer is directly connected to the hard disk.
In some embodiments, the first interface module 505 and the first storage module 503 and the second interface module 506 and the second storage module 504 are connected by an AXI bus 507.
Optionally, the FIFO memory (including the first storage module 503 and the second storage module 504) is respectively connected to the AXI bus 507 and the encryption/decryption module 502, and they cooperate with each other to realize transmission of encrypted/decrypted data.
Furthermore, when the FIFO memory stores data, the data does not need to be sliced, and the FIFO can control the flow through means such as back pressure, blocking and the like, which is equivalent to a pipeline capable of controlling the flow, and the storage size is equivalent to infinite size, so that the data does not need to be sliced for reading and writing.
Further, the FIFO memory may control the backpressure and blocking of AXI bus 507, and the backpressure and blocking interruption to the associated interface is controlled by the empty signal (read empty flag rdempty and write empty flag wremtpy) and the full signal (read full flag rdfull and write full flag wrrfull) of the FIFO. Automatic flow control can be achieved without the involvement of the control module 501 or microcontroller.
Optionally, the encryption pipeline forwards the hard disk data between the SATA device interface and the host interface, and encrypts and decrypts the hard disk data in real time in a data stream manner, so that the device realizes hardware flow control on the bus, which is equivalent to infinite depth cache, and can transmit data with any length. The encryption pipeline uses a FIFO to buffer a piece of data, and the hardware buses (AXI buses) on two sides of the FIFO are used for flow control. When the hard disk reads and writes data, one side of the FIFO writes data to the inner side and the other side receives data continuously, so that the buffer memory is equivalent to infinite, and no buffer memory is equivalent, namely only one delay exists.
In some embodiments, the control module 501 includes:
a receiving unit, configured to read FIS information of data to be written from the first interface module 505 when the host computer performs a write operation;
the analysis unit is used for analyzing the FIS information of the data to be written according to a preset analysis rule so as to obtain the storage information of the data to be written in the hard disk;
the configuration unit is configured to send the storage information to the second interface module 506, so as to ensure that the data to be written is successfully written into the hard disk.
In some embodiments, the configuration unit is further configured to configure the transmission registers of the first interface module 505 and the second interface module 506, and to configure the keys of the encryption and decryption module 502.
Alternatively, communication may be performed between the control module 501 and the first interface module 505, and between the control module 501 and the second interface module 506 via an AHB bus.
Optionally, the workflow of the apparatus disclosed in this embodiment includes the following steps:
(1) After the device is powered on and reset, the microcontroller initializes each hardware module, loads a key and configures an encryption algorithm and a mode;
(2) The microcontroller initializes the SATA host interface and is connected with the hard disk;
(3) The microcontroller initializes the SATA device interface and is connected with the host;
(4) The microcontroller receives the SATA command issued by the host and forwards the SATA command to the hard disk;
(5) The microcontroller receives the SATA response sent by the hard disk and forwards the SATA response to the host;
(6) For SATA commands with data, the microcontroller forwards the SATA commands through an encryption pipeline to encrypt or decrypt the SATA commands in real time;
(7) The microcontroller monitors and processes abnormal events of SATA hard disk communication (including FIS transmission errors, SATA link transmission error, HBA (Host Bus Adapter) errors, and abnormal conditions that commands cannot be completed normally).
Referring to fig. 6, fig. 6 is a flowchart of an encryption pipeline implementation bridging encryption device according to an embodiment of the present application. In fig. 6, the cryptoa module is an encryption and decryption module, the AHSATA controller is a SATA Host, and the DSATA controller is a SATA Device.
For example, referring to fig. 5, an example of writing data to a hard disk by a host computer (which may be a host computer) is shown: the host sends a write command, completes the configuration of the two SATA interface modules (the first interface module 505 and the second interface module 506) and the encryption and decryption module 502 in response to the write command, and activates the two SATA interface modules and the encryption and decryption module 502; the host writes the data to be encrypted into the first storage module 503 through the first interface module 505, the encryption and decryption module 502 encrypts the data to be encrypted in real time, and moves the encrypted data to the second storage module 504; the second interface module 506 reads the encrypted data from the second storage module 504 via the AXI bus 507, said second interface module 506 being in a blocking state if there is no encrypted data in the second storage module 504, said encrypted data being read if there is encrypted data in the second storage module 504; the read encrypted data is then written to the hard disk.
It will be appreciated by those skilled in the art that the structure shown in fig. 5 is not limiting of the apparatus of the embodiments of the present application, and may include more or fewer modules/units than shown, or may combine certain modules/units, or may be arranged in different modules/units.
The device provided by the embodiment comprises: the first interface module 505 is electrically connected with the first storage module 503 and is used for connecting with an upper computer; the second interface module 506 is electrically connected with the second storage module 504 and is used for connecting with a target hard disk; the first storage module 503 is electrically connected to the first interface module 505 and the encryption/decryption module 502, and is configured to store data to be encrypted sent by the upper computer, where the first storage module stores the data to be encrypted, and the second storage module is configured to store encrypted data obtained after performing an encryption operation on the data to be encrypted; the second storage module 504 is electrically connected to the second interface module 506 and the encryption/decryption module 502, and is further configured to store data to be decrypted read from the target hard disk, where the first storage module is further configured to store decrypted data obtained after performing a decryption operation on the data to be decrypted when the second storage module stores the data to be decrypted; the control module 501 is electrically connected to the first interface module 505 and the second interface module 506, and is configured to send an encryption instruction to enable the encryption/decryption module 502 to perform an encryption operation on the data to be encrypted to obtain encrypted data, and send the encrypted data to the second storage module 504; or, the decryption instruction is sent to enable the encryption/decryption module 502 to perform a decryption operation on the data to be decrypted to obtain decrypted data, and send the decrypted data to the first storage module 503; an encryption/decryption module 502, communicatively connected to the control module 501, for performing an encryption operation on the data to be encrypted in the first storage module 503 in response to the encryption instruction; or, in response to the decryption instruction, perform a decryption operation on the data to be decrypted in the second storage module 504; wherein the first memory module and the second memory module each comprise a FIFO memory. In the process of encrypting and decrypting the hard disk, SATA DMA (direct memory access Direct Memory Access, DMA for short) writes data into one side of a pipeline, directly reads the encrypted/decrypted data from the other side, integrates an encryption and decryption module inside, only needs a small-capacity FIFO, and the data flow control is controlled by hardware through a bus, so that data with any length can be transmitted; the buffer area is not needed, only one FIFO with small capacity is needed, and the production cost can be greatly reduced; in the encryption pipeline mode, SATA data is directly written into the FIFO, the encryption and decryption module is also used for directly reading and writing the FIFO, the need of data copying does not need to be copied back and forth to a buffer area, the copying times are reduced, and the operation time is saved; the controller has low occupancy rate, so the transmission speed is high; the data transmission and encryption and decryption processes are all controlled by hardware, the DMA of the SATA controllers at two sides can be started at the same time, and one command is only transmitted by one DMA, which is equivalent to the mode of not bridging SATA direct connection, and the highest transmission speed approaching to the SATA protocol can be realized.
Example two
Fig. 7 is a flowchart of a hard disk encryption method provided in the embodiment of the present application, and as shown in fig. 7, the method in the embodiment includes:
s710, writing data to be encrypted into a first memory through a first interface module in response to a data writing instruction sent by an upper computer;
s720, under the condition that the first memory is detected to receive the data to be encrypted, an encryption and decryption module is used for executing encryption operation on the data to be encrypted to obtain encrypted data;
s730, moving the encrypted data from the first memory to a second memory;
s740, in case that the second memory is detected to receive the encrypted data, writing the encrypted data into the hard disk.
In some embodiments, further comprising:
and under the condition that the first memory sends out a full signal, executing back pressure operation on the first interface module so as to control the upper computer to stop writing data operation.
Specifically, the FIFO has a full signal that can back-pressure the write operation of the AXI bus near its end.
For example, when a host writes data to a hard disk, the data request is written to a first storage module (referred to as FIFO-1) via the SATA interface and AXI bus. But may be that the data of the encryption algorithm module is not processed at this time, resulting in FIFO-1 being full. FIFO-1 will push down the AXI bus, which will continue to interface SATA devices to the push down. When the latter module fails to process the input data of the upper module in time, the latter module is informed to pause data transmission by pulling down a Ready signal. This process is referred to as 'back pressure'. The FIFO thus acts as a flow control, back-pressure by the full signal.
Alternatively, the data written in FIFO-1 may be encrypted in real time, for example, when writing 16 bytes of data at a time, the encryption operation is started on the 16 bytes of written data in real time.
It should be noted that, how many bytes of data are written into the FIFO-1 at a time may be specifically determined according to the actual needs of the user or the specification of the connected bus.
Optionally, writing data to the hard disk includes the steps of:
1. MCU receives SATA command issued by host;
2. MCU transmits SATA command to hard disk;
3. MCU configures and starts SATA Host and SATA Device DMA at the same time, plaintext is written in from one side of encryption pipeline, ciphertext is read out from the other side and directly written in hard disk, detailed process includes (without back pressure, without blocking, the following steps are carried out in parallel by pipeline):
(1) The host writes data into the AXI bus through the SATA device interface;
(2) The AXI bus writes data into the first storage module;
(3) Once the data signal exists in the FIFO-1, an encryption algorithm is started, and the data in the FIFO-1 is encrypted;
(4) The encryption algorithm writes the encrypted data into a second memory module (which may be referred to as FIFO-2);
(5) And the SATA host interface receives the data signals in the FIFO-2 and writes the data in the FIFO-2 into the hard disk through the AXI bus.
The hard disk encryption method provided by the embodiment comprises the following steps: responding to a data writing instruction sent by the upper computer, and writing data to be encrypted into a first memory through a first interface module; under the condition that the data to be encrypted exist in the first memory, an encryption and decryption module executes encryption operation on the data to be encrypted to obtain encrypted data; moving the encrypted data from the first memory to a second memory; in case the presence of the encrypted data in the second memory is detected, writing the encrypted data into the hard disk. In the process of encrypting and decrypting the hard disk, SATA DMA (direct memory access Direct Memory Access, DMA for short) writes data into one side of a pipeline, directly reads the encrypted/decrypted data from the other side, integrates an encryption and decryption module inside, only needs a small-capacity FIFO, and the data flow control is controlled by hardware through a bus, so that data with any length can be transmitted; the buffer area is not needed, only one FIFO with small capacity is needed, and the production cost can be greatly reduced; in the encryption pipeline mode, SATA data is directly written into the FIFO, the encryption and decryption module is also used for directly reading and writing the FIFO, the need of data copying does not need to be copied back and forth to a buffer area, the copying times are reduced, and the operation time is saved; the controller has low occupancy rate, so the transmission speed is high; the data transmission and encryption and decryption processes are all controlled by hardware, the DMA of the SATA controllers at two sides can be started at the same time, and one command is only transmitted by one DMA, which is equivalent to the mode of not bridging SATA direct connection, and the highest transmission speed approaching to the SATA protocol can be realized.
Example III
Fig. 8 is a flowchart of a hard disk decryption method provided in the embodiment of the present application, and as shown in fig. 8, the method in the embodiment includes:
s810, responding to a data reading instruction sent by the upper computer, and reading encrypted data in the hard disk to a second memory through a second interface module;
s820, under the condition that the second memory is detected to receive the encrypted data, performing decryption operation on the encrypted data through an encryption and decryption module to obtain decrypted data;
s830, moving the decrypted data from the second memory to a first memory;
and S840, reading the decrypted data to the upper computer under the condition that the first memory is detected to receive the decrypted data.
In some embodiments, further comprising:
and under the condition that the second memory sends out a null signal, executing a blocking operation on the second interface module to stop executing a data reading operation on the hard disk.
Specifically, when the FIFO is empty, it causes a read operation to be blocked on the AXI bus and SATA interface near one end thereof, i.e., a round robin inquiry is performed at small time slice intervals, waiting for data to be processed.
Optionally, reading the hard disk data includes the steps of:
1. MCU receives SATA command issued by host;
2. MCU transmits SATA command to hard disk;
3. the MCU configures and starts SATA Host and SATA Device DMA at the same time, ciphertext is written from one side of the encryption pipeline, plaintext is read from the other side and directly sent to the Host, and the method specifically comprises the following steps (wherein the following steps are carried out in parallel in a pipeline):
(1) The hard disk writes data into the AXI bus through the SATA host interface;
(2) FIFO-2 for the AXI bus to write data;
(3) Once the data signal exists in the FIFO-2, a decryption algorithm is started, and the data in the FIFO-2 is decrypted;
(4) The decryption algorithm writes the decrypted data into the FIFO-1;
(5) The SATA device interface receives the data signals in the FIFO-1 and reads the decrypted data in the FIFO-1 to the host through the AXI bus.
The hard disk decryption method provided by the embodiment comprises the following steps: reading encrypted data in the hard disk to a second memory through a second interface module in response to a data reading instruction sent by the upper computer; in case that the encrypted data exists in the second memory is detected, performing decryption operation on the encrypted data by an encryption and decryption module to obtain decrypted data; moving the decrypted data from the second memory to a first memory; and under the condition that the decrypted data exists in the first memory, reading the decrypted data into the upper computer. In the process of encrypting and decrypting the hard disk, SATA DMA (direct memory access Direct Memory Access, DMA for short) writes data into one side of a pipeline, directly reads the encrypted/decrypted data from the other side, integrates an encryption and decryption module inside, only needs a small-capacity FIFO, and the data flow control is controlled by hardware through a bus, so that data with any length can be transmitted; the buffer area is not needed, only one FIFO with small capacity is needed, and the production cost can be greatly reduced; in the encryption pipeline mode, SATA data is directly written into the FIFO, the encryption and decryption module is also used for directly reading and writing the FIFO, the need of data copying does not need to be copied back and forth to a buffer area, the copying times are reduced, and the operation time is saved; the controller has low occupancy rate, so the transmission speed is high; the data transmission and encryption and decryption processes are all controlled by hardware, the DMA of the SATA controllers at two sides can be started at the same time, and one command is only transmitted by one DMA, which is equivalent to the mode of not bridging SATA direct connection, and the highest transmission speed approaching to the SATA protocol can be realized.
Example IV
The present embodiment also provides a computer readable storage medium, in which a computer program is stored, where the computer program may implement the method steps in the foregoing method embodiments when executed by a processor, and the embodiments are not repeated herein.
The computer-readable storage medium may also include, among other things, computer programs, data files, data structures, etc., alone or in combination. The computer readable storage medium or computer program may be specifically designed and understood by those skilled in the art of computer software, or the computer readable storage medium may be well known and available to those skilled in the art of computer software. Examples of the computer readable storage medium include: magnetic media such as hard disks, floppy disks, and magnetic tape; optical media such as CDROM discs and DVDs; magneto-optical media, such as optical disks; and hardware means, specifically configured to store and execute computer programs, such as read-only memory (ROM), random Access Memory (RAM), flash memory; or a server, app application mall, etc. Examples of computer programs include machine code (e.g., code produced by a compiler) and files containing higher level code that may be executed by the computer using an interpreter. The described hardware devices may be configured to act as one or more software modules to perform the operations and methods described above, and vice versa. In addition, the computer readable storage medium may be distributed among networked computer systems, and the program code or computer program may be stored and executed in a decentralized manner.
Example five
Fig. 9 is a connection block diagram of an electronic device according to an embodiment of the present application, as shown in fig. 9, the electronic device 900 may include: one or more processors 901, memory 902, multimedia components 903, input/output (I/O) interfaces 904, and communications components 905.
Wherein one or more processors 901 are adapted to perform all or part of the steps as in the method embodiments described above. The memory 902 is used to store various types of data, which may include, for example, instructions for any application or method in the electronic device, as well as application-related data.
The one or more processors 901 may be application specific integrated circuits (Application Specific Integrated Circuit, ASIC), digital signal processors (Digital Signal Processor, DSP), digital signal processing devices (Digital Signal Processing Device, DSPD), programmable logic devices (Programmable Logic Device, PLD), field programmable gate arrays (Field Programmable Gate Array, FPGA), controllers, microcontrollers, microprocessors or other electronic component implementations for performing the methods as in the method embodiments described above.
The Memory 902 may be implemented by any type or combination of volatile or nonvolatile Memory devices, such as static random access Memory (Static Random Access Memory, SRAM for short), electrically erasable programmable Read-Only Memory (Electrically Erasable Programmable Read-Only Memory, EEPROM for short), erasable programmable Read-Only Memory (Erasable Programmable Read-Only Memory, EPROM for short), programmable Read-Only Memory (Programmable Read-Only Memory, PROM for short), read-Only Memory (ROM for short), magnetic Memory, flash Memory, magnetic disk, or optical disk.
The multimedia component 903 may include a screen, which may be a touch screen, and an audio component for outputting and/or inputting audio signals. For example, the audio component may include a microphone for receiving external audio signals. The received audio signal may be further stored in a memory or transmitted through a communication component. The audio assembly further comprises at least one speaker for outputting audio signals.
The I/O interface 904 provides an interface between the one or more processors 901 and other interface modules, which may be a keyboard, mouse, buttons, etc. These buttons may be virtual buttons or physical buttons.
The communication component 905 is used for wired or wireless communication between the electronic device 900 and other devices. The wired communication comprises communication through a network port, a serial port and the like; the wireless communication includes: wi-Fi, bluetooth, near field communication (Near Field Communication, NFC for short), 2G, 3G, 4G, 5G, or a combination of one or more of them. The corresponding communication component 905 may thus comprise: wi-Fi module, bluetooth module, NFC module.
Example six
The embodiment also discloses a hard disk, including:
the hard disk encryption and decryption device according to the foregoing embodiment; or (b)
The electronic device as in the previous embodiments.
Optionally, the hard disk includes a SATA hard disk, and may further include a hard disk or a USB disk (USB flash disk, simply referred to as a USB disk) supporting SATA protocols.
It will be understood by those skilled in the art that, in the embodiment of the present application, the second interface module of the hard disk encryption/decryption device is used to connect to the hard disk disclosed in the embodiment.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, each module included in the hard disk and a specific working process of the modules may refer to a corresponding process in the foregoing apparatus embodiment and method embodiment, and this embodiment will not be repeated here.
Example seven
The embodiment also discloses an I/O interface configured in a computer or a mobile terminal, where the I/O interface includes:
the hard disk encryption and decryption device according to the foregoing embodiment; or (b)
The electronic device as in the previous embodiments.
Optionally, the computer includes a personal computer, other host devices used in the manufacturing field, and the like; the mobile terminal comprises a mobile intelligent device or a wearable device carrying the intelligent OS, and the like.
It can be clearly understood by those skilled in the art that, for convenience and brevity of description, each module included in the I/O interface and a specific working process of the modules may refer to a corresponding process in the foregoing apparatus embodiment and method embodiment, and this embodiment will not be repeated herein.
In summary, the hard disk encryption and decryption device, the hard disk encryption method, the hard disk decryption method, the storage medium, the electronic device, the hard disk and the I/O interface provided in the present application, the hard disk encryption and decryption device includes: the first interface module is electrically connected with the first storage module and is used for connecting an upper computer; the second interface module is electrically connected with the second storage module and is used for connecting a target hard disk; the first storage module is electrically connected with the first interface module and the encryption and decryption module respectively and is used for storing the data to be encrypted sent by the upper computer, and the second storage module is used for storing the encrypted data obtained after the encryption operation is performed on the data to be encrypted under the condition that the first storage module stores the data to be encrypted; the second storage module is electrically connected with the second interface module and the encryption and decryption module respectively and is also used for storing data to be decrypted read from the target hard disk, and the first storage module is also used for storing decrypted data obtained after decryption operation is performed on the data to be decrypted under the condition that the second storage module stores the data to be decrypted; the control module is electrically connected with the first interface module and the second interface module respectively and is used for sending an encryption instruction to enable the encryption and decryption module to execute encryption operation on the data to be encrypted to obtain encrypted data and sending the encrypted data to the second storage module; or, the encryption and decryption module is used for sending a decryption instruction to enable the encryption and decryption module to execute decryption operation on the data to be decrypted to obtain decrypted data, and sending the decrypted data to the first storage module; the encryption and decryption module is in communication connection with the control module and is used for executing encryption operation on the data to be encrypted in the first storage module in response to the encryption instruction; or, the decryption operation is performed on the data to be decrypted in the second storage module in response to the decryption instruction; wherein the first memory module and the second memory module each comprise a FIFO memory. In the process of encrypting and decrypting the hard disk, SATA DMA (direct memory access Direct Memory Access, DMA for short) writes data into one side of a pipeline, directly reads the encrypted/decrypted data from the other side, integrates an encryption and decryption module inside, only needs a small-capacity FIFO, and the data flow control is controlled by hardware through a bus, so that data with any length can be transmitted; the buffer area is not needed, only one FIFO with small capacity is needed, and the production cost can be greatly reduced; in the encryption pipeline mode, SATA data is directly written into the FIFO, the encryption and decryption module is also used for directly reading and writing the FIFO, the need of data copying does not need to be copied back and forth to a buffer area, the copying times are reduced, and the operation time is saved; the controller has low occupancy rate, so the transmission speed is high; the data transmission and encryption and decryption processes are all controlled by hardware, the DMA of the SATA controllers at two sides can be started at the same time, and one command is only transmitted by one DMA, which is equivalent to the mode of not bridging SATA direct connection, and the highest transmission speed approaching to the SATA protocol can be realized.
It should be further understood that the methods or systems disclosed in the embodiments provided herein may be implemented in other manners. The above-described method or system embodiments are merely illustrative, for example, flow diagrams and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of methods and apparatuses according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, a computer program segment, or a portion of a computer program, which comprises one or more computer programs for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures, and in fact may be executed substantially concurrently, or in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer programs.
In this application, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, apparatus or device comprising such elements; if any, the terms "first," "second," etc. are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of features indicated or implicitly indicating the precedence of features indicated; in the description of the present application, unless otherwise indicated, the terms "plurality", "multiple" and "multiple" mean at least two; if the description is to a server, it should be noted that the server may be an independent physical server or terminal, or may be a server cluster formed by a plurality of physical servers, or may be a cloud server capable of providing basic cloud computing services such as a cloud server, a cloud database, a cloud storage, a CDN, and the like; in this application, if an intelligent terminal or a mobile device is described, it should be noted that the intelligent terminal or the mobile device may be a mobile phone, a tablet computer, a smart watch, a netbook, a wearable electronic device, a personal digital assistant (Personal Digital Assistant, PDA), an augmented Reality device (Augmented Reality, AR), a Virtual Reality device (VR), an intelligent television, an intelligent sound device, a personal computer (Personal Computer, PC), etc., but the present application is not limited thereto.
Finally it is pointed out that in the description of the present specification, the terms "one embodiment," "some embodiments," "example," "one example" or "some examples" and the like refer to particular features, structures, materials or characteristics described in connection with the embodiment or example as being included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiments or examples. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
While embodiments of the present application have been illustrated and described above, it should be understood that the above-described embodiments are illustrative only and are not intended to limit the present application to the details of the embodiments employed to facilitate the understanding of the present application. Any person skilled in the art to which this application pertains will be able to make any modifications and variations in form and detail of implementation without departing from the spirit and scope of the disclosure, but the scope of protection of this application shall be subject to the scope of the claims that follow.

Claims (9)

1. A hard disk encryption/decryption device, the device comprising:
the first interface module is electrically connected with the first storage module and is used for being connected with an upper computer, wherein the first interface module comprises a SATA interface;
the second interface module is electrically connected with the second storage module and is used for connecting a target hard disk, wherein the second interface module comprises a SATA interface;
the first storage module is electrically connected with the first interface module and the encryption and decryption module respectively and is used for storing the data to be encrypted sent by the upper computer, and the second storage module is used for storing the encrypted data obtained after the symmetric encryption operation is performed on the data to be encrypted under the condition that the first storage module stores the data to be encrypted; the first interface module is connected with the first storage module through an AXI bus;
the second storage module is electrically connected with the second interface module and the encryption and decryption module respectively and is also used for storing data to be decrypted read from the target hard disk, and the first storage module is also used for storing decrypted data obtained after symmetric decryption operation is performed on the data to be decrypted under the condition that the second storage module stores the data to be decrypted; the second interface module is connected with the second storage module through an AXI bus;
The encryption and decryption module is respectively and electrically connected with the first storage module and the second storage module and is used for executing symmetrical encryption operation on the data to be encrypted under the condition that the data to be encrypted is received in the first storage module; or, the device is used for executing symmetric decryption operation on the data to be decrypted under the condition that the data to be decrypted is received in the second storage module;
the control module comprises a microcontroller; the control module is electrically connected with the first interface module, the second interface module and the encryption and decryption module respectively and is used for initializing the first interface module, the second interface module and the encryption and decryption module before the encryption and decryption module executes symmetric encryption or symmetric decryption operation; wherein the initializing operation includes: configuring the data length and the data storage position accepted by the first interface module and the second interface module, configuring the algorithm of the encryption and decryption module, and analyzing a SATA protocol; wherein, the control module still includes: the receiving unit is used for reading the FIS information of the data to be written from the first interface module when the upper computer executes the writing operation; the analysis unit is used for analyzing the FIS information of the data to be written according to a preset analysis rule so as to obtain the storage information of the data to be written in the hard disk; the configuration unit is used for sending the storage information to the second interface module so as to ensure that the data to be written is successfully written into the hard disk; the configuration unit is further used for configuring transmission registers of the first interface module and the second interface module, and configuring a key of the encryption and decryption module;
The first storage module and the second storage module both comprise FIFO memories, and encryption and decryption are carried out in real time in a data stream mode through the encryption and decryption module, the first storage module and the second storage module.
2. A hard disk encryption method, characterized in that it is implemented based on the hard disk encryption and decryption device according to claim 1, said method comprising:
responding to a data writing instruction sent by the upper computer, and writing data to be encrypted into a first memory through a first interface module;
under the condition that the first memory is detected to receive the data to be encrypted, performing symmetric encryption operation on the data to be encrypted through an encryption and decryption module to obtain encrypted data;
moving the encrypted data from the first memory to a second memory;
and writing the encrypted data into the hard disk when the second memory is detected to receive the encrypted data.
3. The hard disk encryption method according to claim 2, further comprising:
and under the condition that the first memory sends out a full signal, executing back pressure operation on the first interface module so as to control the upper computer to stop writing data operation.
4. A hard disk decryption method, characterized in that it is implemented based on the hard disk encryption and decryption device according to claim 1, said method comprising:
reading encrypted data in the hard disk to a second memory through a second interface module in response to a data reading instruction sent by the upper computer;
under the condition that the second memory is detected to receive the encrypted data, performing symmetric decryption operation on the encrypted data through an encryption and decryption module to obtain decrypted data;
moving the decrypted data from the second memory to a first memory;
and under the condition that the first memory is detected to receive the decrypted data, reading the decrypted data into the upper computer.
5. The hard disk decryption method of claim 4, further comprising:
and under the condition that the second memory sends out a null signal, executing a blocking operation on the second interface module to stop executing a data reading operation on the hard disk.
6. A computer readable storage medium storing a computer program which, when executed by one or more processors, implements the method of any one of claims 2-3 or 4-5.
7. An electronic device comprising a memory and one or more processors, the memory having stored thereon a computer program, the memory and the one or more processors being communicatively coupled to each other, the computer program, when executed by the one or more processors, performing the method of any of claims 2-3 or 4-5.
8. A hard disk comprising:
the hard disk encryption/decryption device of claim 1; or (b)
The electronic device of claim 7.
9. An I/O interface configured in a computer or a mobile terminal, the I/O interface comprising:
the hard disk encryption/decryption device of claim 1; or (b)
The electronic device of claim 7.
CN202211276219.5A 2022-10-19 2022-10-19 Hard disk encryption and decryption device and method, hard disk and I/O interface Active CN115344881B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211276219.5A CN115344881B (en) 2022-10-19 2022-10-19 Hard disk encryption and decryption device and method, hard disk and I/O interface

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211276219.5A CN115344881B (en) 2022-10-19 2022-10-19 Hard disk encryption and decryption device and method, hard disk and I/O interface

Publications (2)

Publication Number Publication Date
CN115344881A CN115344881A (en) 2022-11-15
CN115344881B true CN115344881B (en) 2023-07-04

Family

ID=83957515

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211276219.5A Active CN115344881B (en) 2022-10-19 2022-10-19 Hard disk encryption and decryption device and method, hard disk and I/O interface

Country Status (1)

Country Link
CN (1) CN115344881B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115795519B (en) * 2023-01-18 2023-05-09 苏州浪潮智能科技有限公司 Data encryption and decryption processing method and device, electronic equipment and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105229592B (en) * 2013-03-15 2018-04-10 马维尔国际贸易有限公司 For generating the apparatus and method to access the descriptor of the nonvolatile semiconductor memory of memory driver again due to mistake
CN106169041B (en) * 2016-07-06 2019-05-28 于哲 A kind of safety encryption mobile hard disk and its data transmission method based on USBKEY authentication
CN112084138A (en) * 2020-08-21 2020-12-15 杭州电子科技大学 SoC (system on chip) security disk control chip architecture design method for trusted storage
CN113220498A (en) * 2021-05-08 2021-08-06 青芯半导体科技(上海)有限公司 Embedded Flash controller supporting encrypted storage
CN114564234A (en) * 2022-02-23 2022-05-31 北京奕斯伟计算技术有限公司 Processing apparatus, method and system for performing data processing on a plurality of channels
CN114546277A (en) * 2022-02-23 2022-05-27 北京奕斯伟计算技术有限公司 Device, method, processing device and computer system for accessing data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
谭帆.可配置加密算法的SATA桥接器的设计与实现.《微电子学与计算机》.2013,第22-30页. *

Also Published As

Publication number Publication date
CN115344881A (en) 2022-11-15

Similar Documents

Publication Publication Date Title
JP4698982B2 (en) Storage system that performs cryptographic processing
KR102109431B1 (en) Transmission of multiple protocol data elements via an interface utilizing a data tunnel
US20020071450A1 (en) Host-fabric adapter having bandwidth-optimizing, area-minimal, vertical sliced memory architecture and method of connecting a host system to a channel-based switched fabric in a data network
KR100823734B1 (en) Data acceleration apparatus for iSCSI and iSCSI storage system using the same
EP2791810B1 (en) System and method of sending data via a plurality of data lines on a bus
TWI620093B (en) Method and apparatus for securing computer mass storage data
US8788726B2 (en) Data transmission system, storage medium and data transmission program
CN101840306B (en) Method and system for driving SATA (Serial Advanced Technology Attachment) device in VxWorks operating system
KR20030087025A (en) Methodology and mechanism for remote key validation for ngio/infiniband applications
US5958024A (en) System having a receive data register for storing at least nine data bits of frame and status bits indicating the status of asynchronous serial receiver
CN115344881B (en) Hard disk encryption and decryption device and method, hard disk and I/O interface
US10740000B2 (en) Adaptive transaction layer packet for latency balancing
JP4347351B2 (en) Data encryption apparatus, data decryption apparatus, data encryption method, data decryption method, and data relay apparatus
CN115549911B (en) Encryption and decryption system, method, processor and server
US20040268088A1 (en) Controlling memory access devices in a data driven architecture mesh array
US7191262B2 (en) High-throughput UART interfaces
US8086879B2 (en) Powering on devices via intermediate computing device
GB2501587A (en) Managing a storage device using a hybrid controller
JP3989376B2 (en) Communications system
CN115543882B (en) Data forwarding device and data transmission method between buses with different bit widths
JP2003050788A (en) Apparatus and method for distribution of signal from high level data link controller to multiple digital signal processor core
CN111083104A (en) Method and system for realizing simultaneous access of host to internal and external networks
CN114547663B (en) Method for realizing data encryption, decryption and reading of high-speed chip based on USB interface
CN106970889B (en) SATA bridge chip and working method thereof
CN210836072U (en) Bridge chip for converting stream encryption USB interface into FIFO interface

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant